Sunday, October 1, 2017

The compromise of the Swiss diplomatic Enigma K cipher machine in WWII

In the course
of WWII the Allied and Axis codebreakers attacked not only the communications
of their enemies but also those of the neutral powers, such as Switzerland,
Spain, Portugal, Turkey, Ireland, the Vatican State and others (1).

Switzerland
was a traditionally neutral country but during the war it had close economic
relations with Germany and it also acted as an intermediary in negotiations
between the warring nations. Important international organizations like the Red
Cross and the Bank of
International Settlements were based in Switzerland.

Naturally
both the Allies and the Germans were interested in the communications of the
Swiss government.

Swiss
diplomatic codes and ciphers

The Swiss
Foreign Ministry used several cryptologic systems for securing its radio
messages. According to US reports (2) several codebooks were used, both
enciphered and unenciphered. These systems were of low cryptographic complexity
but had an interesting characteristic in that the same codebooks were available
in three languages.

French,
German and Italian were the recognized official languages of Switzerland. The
codebooks of the Swiss foreign ministry had versions in French, German and
English.

Apart from
codebooks the Swiss also used a number of commercial Enigma cipher machines at
their most important embassies.

The device
worked according to the Enigma principle with a scrambler unit containing an
entry plate, 3 cipher wheels and a reflector. Each of the cipher wheels had a
tyre, marked either with the letters of the alphabet or with the numbers 1-26,
settable in any position relative to the core wheel, which contained the
wiring. The tyre had a turnover notch on its left side which affected the
stepping motion of the device.

The position
of the tyre relative to the core was controlled by a clip called Ringstellung
(ring setting) and it was part of the cipher key, together with the
position of the 3 cipher wheels.

The
commercial version was different from the version used by the German Armed
Forces in that it lacked a plugboard
(stecker). Thus in German reports it was called unsteckered Enigma.

In 1938 the
Swiss government purchased 14 Enigma D
cipher machines, together with radio equipment. The next order was in 1939 for
another 65 machines and in 1940 they received 186 Enigma K machines in two
batches in May and July ’40. The Enigma cipher machines were used by the Swiss
Army, Air Force and the Foreign Ministry (3).

Military version

The majority
of the Enigma machines were used by the Swiss Armed Forces. Apparently the
Swiss were aware of the Enigma weaknesses so they modified their machines.

The wheels
were rewired and the stepping motion of the device was altered (4).

In regular
Enigma machines the movement of the rotors was predictable due to their having
only one notch. The fast rotor moved with every key depression, the middle
rotor moved once every 26 key depressions and the slow rotor (the left one)
moved only once every 676 key strokes (26x26).

The Swiss
military modified their Enigmas so that the middle rotor moved with every key
depression, instead of the one on the right.

During WWII
it seems that these security measures paid off since there is no indication
that either the Allies or the Axis were able to solve Swiss military Enigma
traffic.

US effort

The US and UK
effort was concentrated on the Swiss diplomatic Enigma traffic, thus it does
not seem like they were able to solve any military traffic.

The report ‘European
Axis Signal Intelligence in World War II’, vol1 (dated May 1946) says in the ‘Results of European Axis cryptanalysis’ -
Switzerland that the Enigma traffic
SZD-1 was solved but not SZD-2 and SZD-3.

SZD and SZD-1
were diplomatic traffic and it is possible that SZD-2 and SZD-3 were the US
designations for Swiss military traffic.

The special
research history SRH-361 ‘History of the Signal Security Agency volume two -
The general cryptanalytic problems’ mentions, in chapters VII and XVI,
the Swiss diplomatic Enigma but not the military version.

Thus there is
no indication that the Anglo-Americans solved the military traffic.

German effort

During WWII
the German Army made extensive use of signals intelligence and codebreaking in
its operations against enemy forces. German commanders relied on signals
intelligence in order to ascertain the enemy’s order of battle and track the
movements of units.

The German
Army’s signal intelligence agency operated a number of fixed intercept stations
and also had mobile units assigned to Army Groups. These units were called KONA
(Kommandeur der Nachrichtenaufklärung) - Signals Intelligence Regiment and each
had an evaluation centre, a stationary intercept company, two long range signal
intelligence companies and two close range signal intelligence.

The KONA
units did not have the ability to solve complicated Allied cryptosystems.
Instead they focused on exploiting low/mid level ciphers and even in this
capacity they were assisted by material sent to them by the central
cryptanalytic department. This was the German Army High Command’s Inspectorate 7/VI.

Inspectorate
7/VI had separate departments for the main Allied countries, for cipher
security, cipher research and for mechanical cryptanalysis (using punch card
machines and more specialized equipment).

Swiss ciphers
were worked on by Referat 3 (France, Switzerland, Spain, Portugal), headed by Sonderführer
Hans Wolfgang Kühn. In the period 1941-42 this department solved Swiss hand
ciphers and did some research on the Swiss military Enigma (5).

The War Diary
of Inspectorate 7/VI shows that in 1941 Swiss traffic was intercepted and
worked on by the fixed intercept station Strasbourg (Festen Horchstelle Strassburg). Some hand ciphers were solved but
by late ’41 it was clear that the Enigma machine was entering service and that
it would replace the old cipher procedures.

In late 1941
and early 1942 there were several meetings with officials of the Foreign
Ministry’s deciphering department Pers Z in order to discuss the Swiss Enigma
problem.

In October
1941 Kühn (head of Referat 3) and
dr Steinberg (member of the mathematical research department) met the Pers Z’s
dr Kunze and discussed the Swiss Enigma procedure. The Inspectorate 7/VI
officials wanted to clarify if the military version of the Swiss Enigma used
the same wheel wirings as the diplomatic one. However due to the limited
intercepted traffic it was not possible to solve this issue.

Sonderführer Kühn
and dr Kunze met again in January
and March 1942. The March ’42 report says that an Enigma machine with Swiss
wheel wirings was loaned to the department for a short time.

Dr Buggisch, an Army cryptanalyst who specialized on cipher
machines, examined the Swiss Army messages and worked out a theoretical method
of solution which however depended on knowing the wheel wirings (6).

Despite these efforts the Swiss military Enigma was not
solved and from August 1942 Swiss radio traffic was monitored but not actually
worked on.

Diplomatic version

According to
US and German reports (7) the diplomatic Enigma was used on the links
Bern-Washington, London, Berlin, Rome.

The
diplomatic Enigma machines were rewired by the Swiss but their stepping system
was not modified.

During WWII
both the Anglo-Americans and the German codebreakers were able to solve Swiss Enigma
diplomatic traffic.

US/UK effort

The
codebreakers of the US Army Security Agency devoted most of their resources
against German and Japanese ciphers but they did not neglect to solve the
cryptosystems of neutral countries.

The postwar
report 'Achievements of the Signal Security Agency
in World War II’ (dated February 1946) says in page 31 that ‘The traffic of the Swiss Government provided
cryptanalytic problems of moderate difficulty and owing to the fact that the
Swiss served as representatives of belligerents in many countries, Swiss
traffic was an important source of information’.

Swiss crypto
systems were worked on by a sub unit of the Romance Language Code Recovery
section, created in December 1942. The Swiss unit was joined with the French
Code Recovery unit in March 1943 but in August 1944 it was made independent
again. The unit worked on the Swiss codebooks while the Enigma traffic was
solved by the machine cipher section and the results passed to the Swiss unit
for further processing. The Swiss Enigma was designated system SZD and work on it started in December
1942, with the first translations issued in July 1943 (8).

The US
codebreakers cooperated closely with their British counterparts on the systems
of neutral countries, including Switzerland. The British had better coverage of
European radio traffic and had been working on these systems for a long time.

Regarding the
Swiss Enigma traffic the British had exclusive coverage of the link Bern-London
and the Americans of Bern-Washington (9).

According to
US reports (10) messages were either in French, German or English and numbers
were sandwiched between X and Y with the figures 1234567890 substituted by the
letters QWERTZUIOP respectively.

Up to late
1942 the internal settings (wheel order and ring settings) were valid for a
week and the same key was used for the links Bern-Washington-London.

The cipher
machine employed only 3 wheels which the Anglo-Americans called ‘Blue’, ‘Red’
and ‘Green’. The wheels however were rewired frequently. One set was used for
the period August ’42 - 6 April ’43 then new wirings for the period 7 April ’43
- 31 December ’43 and the last one mentioned in the report covers the period
January ’44 – October’44. These wirings were received by the British
codebreakers (11).

Originally
the indicator (showing the starting position of the rotors) was sent in the
clear but from August 1942 it was enciphered. The cipher clerk chose a random position
for the wheels and enciphered the ring setting on it to produce the message’s
setting.

In 1943 the cipher
procedure was changed and a large set of numbered keys were used with the internal
key (wheel order and ring settings) being determined by the serial number of
the message. The indicator procedure remained the same, with the cipher clerk
choosing a random setting for the wheels and enciphering the ring setting on it
to get the message’s key. Different numbered keys were introduced for each
link.

From February
1944 some messages were doubly enciphered. The first indicator worked in the
manner already described previously. Then the cipher clerk chose another random
4-letter indicator, set the wheels on it and enciphered the text one more time,
including the first indicator. The second indicator was sent in the clear as
the first group and repeated anywhere within the first ten groups of text.

The messages
were sent in 5-letter groups with the first 4 letters being the indicator. Some
messages had the following coded designations: Saturn, Wega, Merkur, Helos, Nira, Urania. These were indicators of
content with Wega referring to shipping and transport matters, Saturn dealing
with trade and Merkur with finance.

Example of
Swiss telegram (12):

Solution of
the Swiss Enigma depended on the use of stereotyped beginnings and on operator
mistakes. The Enigma settings were recovered by using ‘cribs’ (suspected plaintext in the ciphertext) and sometimes ‘cillies’ (mistakes/non random choices by
the cipher clerks) (13).

Occasionally
messages could be solved by using the indicators. As has been mentioned
previously each message had a 4-letter indicator, chosen by the cipher clerk.
After setting the wheels at the letters of the indicator the operator then
enciphered the ring setting on the machine in order to get the message key. The
4 letters of the external indicator were supposed to be chosen at random,
however sometimes the cipher clerks would choose the setting which they found
in their machine after setting up the ring setting clips. This was usually one
or two positions forward of the clip setting.

These non
random indicators could be exploited to solve the Enigma:

The Swiss
SIGABA

After
recovering the internal settings of the device and the message key it was
possible to decode the intercepted traffic.

Instead of
buying a commercial Enigma machine and rewiring it to Swiss specifications the
US codebreakers modified one of their SIGABA cipher
machines, thus turning it into a Swiss Enigma clone.

Content of
the messages

In general
Swiss diplomatic traffic was judged to be of low intelligence value. Most
messages dealt with Swiss trade, activities on behalf of the Red Cross,
prisoners of war, Swiss representation of interests of other countries,
conditions of neutrals in warring countries etc. Messages judged to be valuable
were those that dealt with Swiss trade, Swiss representation of the interests
of third countries and those concerning abuse of the Swiss diplomatic pouch.

Out of all
the Swiss crypto systems the Enigma cipher was the most important and in 1943
out of 906 Bern-Washington intercepts 266 were published in reports (14).

Effects of
improved security procedures

In 1943 the
introduction of a different rotor arrangement for each pair of messages
complicated the solution of Swiss Enigma traffic. From then on the US codebreakers
would have to identify the rotor order, the ring settings and the starting
position of the rotors for each two messages.

It seems that
due to the limited value of the Swiss messages and the significant resources
needed for regular solution of the individual key settings by late 1943 the
Swiss Enigma problem was downgraded in terms of importance and the traffic was
mostly used for training purposes. The keys to the Bern-London traffic were
received from the British (15).

German effort

Foreign
diplomatic codes and ciphers were worked on by three different German agencies,
the German High Command’s deciphering department – OKW/Chi, the
Foreign Ministry’s deciphering department Pers Z and the Air
Ministry’s Research Department - ReichsluftfahrtministeriumForschungsamt.

OKW/Chi
effort

At the High
Command’s deciphering department - OKW/Chi, Swiss diplomatic systems were
worked on by a subsection of main Department V. Depending on the source this
was either Section 5 (France, Switzerland), headed by dr Helmuth Mueller or
Section 2 (Switzerland), headed by dr Peters (16).

According to
dr Erich Hüttenhain, chief cryptanalyst of OKW/Chi, the Swiss Enigma machine
was solved by his unit. The wirings of the wheels changed every 3 months but
they were not changed on all the links simultaneously. The machines on the link
Bern-Washington continued to use the old wirings for some time thus these
messages could be solved and they provided ‘cribs’ which could be used to solve
the Bern-London traffic and recover the new wirings (17).

1). By using
‘depths’ (messages enciphered on the
same wheel settings):

‘If 20 to 25 messages of the same setting are
available then the solution of these messages can be done in an elementary
manner ie, the columns of the encoded texts written under one another in depth
are solved as a Spaltencasar. In this the reciprocity of the substitutions is
made use of to a great extent. In the solution procedure no other
characteristic of the machine is used. This is also valid for the elementary
solution of Stocker Enigma. After this elementary solution of the encoded texts
the determination of the machine setting presents no difficulties.’

2). By using
a ‘crib’ (suspected plaintext in the ciphertext) and taking advantage of the
regular stepping of the Enigma. In the example given the crib ‘gabinetto alt’ is used:

3). By using
the E-Leiste (E-List) method. This method was based on comparison of the frequency
of the letter E in clear text and in
the examined cipher text. According to the report this was only a theoretical
solution and it was not used in practice since the ‘crib’ method sufficed:

‘With the K-machine six different wheel
orders are possible. The adjustable Umkehr wheel can be set in twenty-six
different positions. The periods of the three moveable wheels is about 17,000
steps, There are therefore 6 x 26 = 156 different periods of 17,000 long
respectively possible. If in each of the 156 different periods the clear letter
e is encoded 17,000 times, then 156 rows of encoded elements results, each
17,000 long. All these rows of encoded elements are designated e-Leiste.

The clear letter e appears in German
with a frequency of 18%. If a German clear text encode with the K-machine is
moved through the e-Leiste and if in each position the corresponding encoded
elements are counted, then the correct phase position will have the maximum
cases of correspondence. In this the Ringstellung need not be considered. The
e-Leiste need only be prepared once. The comparison of the encoded text with
the e-Leiste would have to be carried out on a machine. In order to come to a
positive conclusion in a reasonable time, then several machines would have to
be used at the same time, even if one machine was capable of making 10,000
comparisons per second.

In GERMANY a practical solution with
the aid of the e-Leist was not carried out, as in, practice the method of solution
from a part compromise was always possible.’

Pers Z
effort

At the
Foreign Ministry’s deciphering department Swiss systems were worked on by a
group headed by Senior Specialist dr Wilhelm Brandes. This section, which dealt
with French, Dutch, Belgian, Swiss and Romanian ciphers, successfully solved several
Swiss codebooks and the Enigma machine.

In page 14 Dr
Rudolf Schauffler (head of Pers Z) said that ‘The commercial type Enigma used by the Swiss was sometimes solved by
stereotyped beginnings and known settings. The Swiss used to include in their
messages the machine settings for the next message’.

In page 20 it
says that ‘Dr. Brandes was unable to
state the exact dates when the Swiss Eniqma was read but said that it was read
completely for a considerable time. [Comment: the phrasing of his statement
implied that there was also a time when it was partially readable].

These statements
can be confirmed by the Pers Z file ‘Bericht
der Belgisch-Französisch-Schweizerischen Gruppe Stand 31.12.1941’ (19)
since it contains reports that mention the Swiss Enigma traffic.

The report of
Group Brandes for 1940 says that most of the Swiss diplomatic traffic was sent
using letter codebooks. However from the end of May 1940 traffic between
Bern-Berlin and Bern-London had been sent using the Enigma machine. According
to the report ‘a solution should be
possible with ample material and sufficient personnel’.

According to
the report for 1941 the Swiss Enigma was solved thanks to a partial solution
provided by the Forschungsamt. In order to process this traffic two Enigma
machines were purchased and rewired according to the Swiss specifications and
the results passed on to the FA. In some cases the inner settings of the device
were given in the telegrams. The machine was used on the links Bern - Berlin,
London, Washington.

Apart from
the Forschungsamt’s assistance there was also exchange of information between
Pers Z and Inspectorate 7/VI on the Swiss Enigma. A detailed report on the
solution of the commercial Enigma was found in the Pers Z files (20). This was
written by Inspectorate 7/VI mathematician dr Rudolf
Kochendörffer (21). It involved obtaining many messages in depth, reading
these messages by solving the successive (monoalphabetlc) columns of
superimposed text and then applying the resultant cribs to recovering the
wirings of the rotors.

Forschungsamt
effort

At the Air
Ministry’s Research Department Swiss systems were worked on by Abteilung 8,
Branch A, Section 3 (Holland,
Switzerland, Luxembourg, Abyssinia). The department had about 30-40 workers
(22).

According to
dr Martin Paetzel (deputy director of Main Department IV - Decipherment) ‘their main machine success was with the
Swiss Enigma as long as the same machine setting was used over a longish period’
(23).

More details
about the Forschungsamt solution of the Swiss Enigma are given by Bruno Kröger
in TICOM reports DF-240 and DF-241 (24). Kröger was the FA’s cipher machine
expert and during the war he solved several foreign cipher machines.

The Swiss
Enigma was first solved as a polyalphabetic substitution cipher, by processing
several messages sent on the same key. The solution of these ‘depths’ led to
the recovery of the wheel wirings and the further exploitation of the traffic.
When the wheels were rewired it was possible to recover the new settings by
using assumed plain text-cipher text cryptanalytic attacks. It took 5-6 workers
about 1-6 weeks to recover the wiring of the first rotor and then they could
quickly recover the wiring of the remaining two rotors.

Eventually
the use of enciphered indicators and individual internal keys for each message
(or pair of messages) made it too costly to work on this traffic, so the FA had
to give up on it. According to Kröger this decision was made in early 1944.

At the Swiss
Army’s Cipher Bureau (headed by Captain Arthur
Alder, a professor of mathematics at the University of Bern) a new cipher
machine was designed in the period 1941-43, for use by the country’s armed forces and
diplomatic authorities (25).

The device
was based on the Enigma principle with a scrambler unit containing wired rotors
and a reflector. However the new cipher machine, called NEMA, had a much more
complex stepping system than standard Enigmas. The device had 10 rotors, out
which 4 were the alphabet rotors, 1 was a reflector that could move during
encipherment and 5 stepping wheels controlling the motion of the device.

The NEMA (Neue Maschine) was much more secure than a commercial Enigma
machine and it entered service in 1947.

In 1948 a
letter was sent to the Swiss government. The letter was written by dr Kröger,
the Forschungsamt’s cipher machine expert, and in it he described how the Swiss
Enigma was solved during the war. His conclusion was that the commercial Enigma
could not satisfy the current security
requirements. Kröger then offered his services to the Swiss
government (26).